Koler Ransomware Spreading Through SMS

A new Strain of Koler ransomware is back to terrorize android users according to reports by AdaptiveMobile security firm. The new stain has been reengineered to spread through SMS, holding infected phones hostage until the users pays a ransoms for alleged offences.

Koler ransomware (Koler.A) was first discovered in May spreading through pornographic websites, disguising itself as a legitimate app nabbing users who visited pornographic sites. One your device is infected, the malware locks your phone demanding a tip-off to unlock. The malware displays a message allegedly from a Law enforcement agency accusing the victim of participating in child pornography.

“The Android malware Koler, now spreads by text message and holds infected users’ phones hostage until a “ransom” is paid. AdaptiveMobile detected the emergence of the worm on October 19th, and has blocked thousands of messages from hundreds of infected phones,” stated the company in a blog post.

The new strain, worm.Koler spreads via SMS sending a shortened bit.ly URL notifying the victim that an account with their photos has been created. Clicking on the URL directs the user to a Dropbox where the malware is hidden in a “Photoviewer App.” Once downloaded the malware, locks the devices demanding a ransom of $300 via MoneyPak to unlock the device.

“Once installed, the malware blocks the user’s screen with a fake FBI page, which says the device has been locked due to pornographic or other inappropriate content. The user can “wave the accusations” by paying a fine using a Money Pak Voucher,” stated AdaptiveMobile in a blog.

Interestingly, the malware propagates itself by sending an SMS to all contacts on the victims address book saying, “Someone made a profile named – [victim’s name] – and he uploaded some of your photos! is that you? “http://bit.ly/img7821”. Once again the shortened URL points to a Dropbox hosting the same malware, and the cycle continues.

“This attack combines the techniques we have seen with worms like Selfmite with a traditional Android ransomware attack,” said Cathal Mc Daid, Head of Data Intelligence & Analytics at AdaptiveMobile. “Spreading the worm by SMS makes it more effective as people are more likely to respond to a link sent by someone they know.”

AdaptiveMobile warned Worm.Koler is spreading at an alarming rate, infecting users in at 30 countries within a short period. However, the malware is predominantly in US, accounting for over 75% of all reported infections.

“During this short period, we have detected several hundred phones that exhibit signs of infection, across multiple US carriers. In addition to this, other mobile operators worldwide—predominantly in the Middle East, have been affected by this malware,” said McDaid.

Meanwhile, it not clear whether the both Koler.A and the new strain, worm.Koler are authored by the same developers. The original malware, Koler.A displayed customized ransom screens reflecting the user’s location, but the variant displays the same pop-up regardless of location.

“We can’t tell for certain if it is the same attackers [as the original Koler], but in this case it looks like the attackers optimized it for the North American market – by only having a US-based pop-up screen – and there are differences in how the code is packaged,” McDaid said.

The first mitigation step is to disable app installation from “Unknown Sources” checkbox in your android security setting. Disabling this option will prevent installation of App from untrusted stores, some of which could contain malwares such as Worm.koler.

Although the Koler variant does not encrypt user’s files, uninstalling it through App management tool is difficult. The ransom screen displayed by the malware literally freezes the devices hindering any navigation. AdaptiveMobile advises affected users to reboot the devices in “Safemode” before uninstalling the “Photoviewer App” through Android uninstallation tool.

Affected users are advised not to pay the ransom because there is no guarantee the phone will unlock. It is also highly recommended for users to do a background check before installing any App. Look out for information such as, App rating, developer information and Permissions the App is requesting upon installation.

Ali is a freelance journalist, having 5 years of experience in web journalism and marketing. He contributes to various online publications. With a Master degree, now he combines his passions for writing about internet security and technology for SecurityGladiators. When he is not working, he loves traveling and playing games.